Enable the Data Volume Index and Install the Data Volume App

You must be an Administrator to perform this step.

The Data Volume Index provides data that allows you to understand your account’s data ingest volume in bytes and number of log messages processed overall. The Data Volume Index gives you better visibility into how much data you are sending to Sumo Logic, allowing you to proactively manage your systems’ behavior and to fine-tune your data ingest with respect to the data plan tied to your Sumo Logic subscription.

Once enabled, you can access the Data Volume Index using the search query: _index=sumologic_volume

Once the Audit Index and Data Volume apps are installed, they will appear in your Personal library. We recommend that you publish these folders so that others do not have to install these apps on their own.

Enable the Sumo Logic Support Account

You must be an Administrator to perform this step.

Administrators can decide to enable a Sumo Logic support account, which grants very select Sumo Logic representatives access to your organization's account, allowing them to resolve issues that arise. Admins can choose to keep the Support Account enabled full-time, or the account can be disabled when no issues are being investigated.

When a support account is enabled, a special user is added to your organization's Sumo Logic account, named Sumo Logic Support. This is the user that Sumo Logic support agents will use to log into your organization's account to troubleshoot issues. If you disable your support account, the Sumo Logic Support user account is disabled. It's important to remember to capture any content created by the Sumo Logic user account before disabling it.

Create a Source Category Naming Convention

A robust source category naming scheme will offer the following advantages:

It simplifies search syntax and scope definition. This is the primary reason for doing this, as it will make Sumo Logic easier to use. Ideally, users should be able to easily run searches across all related logs sourced from different machines, using:

_sourceCategory=OS/Windows/*

instead of:

(_collector=win_2008_server1 OR _collector=win_2012_server1 OR _collector=win_2008_server2)

It simplifies the configuration of Role-Based Access Controls (RBAC). For example, you may need to create a new role titled “Network Engineer”. The rule associated with that role could be _sourceCategory=Networking/*. This metadata tag would then be prepended to all queries executed by someone with this role.

It helps create intuitive partition schemes that do not require editing. Ideally, you will never have to edit partitions. Editing partitions currently requires a new name to be created, which means users will have to be reeducated. To learn more about partitioning your data, see Partitions.

Start with the most generic description of your messages on the left and add layers of increasingly specific data descriptors to the right. Depending on the complexity of your organization and your technology stack, you can have many layers in your source category name. Here are a few examples:

Networking/Firewall/Cisco/FWSM

Networking/Switch/Cisco/ASA

OS/Windows/2012/Security

Prod/Sumologic/Web/Apache/Access
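The following is an added example, not part of the original documentation or of Sumo Logic's own tooling: a small Python check that validates source category names against a naming convention and lists which categories each role filter would match, so that gaps in RBAC scope show up before the filters are configured. The segment rules, the "Windows Admin" role, the flat name win_2008_server1 used as a category, and the use of simple glob matching for the wildcard are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Assumption: segments are letters, digits, "_" or "-"; at least two levels.
SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")
# Top-level segments taken from the examples on this page.
ROOTS = {"Networking", "OS", "Prod"}
# Constructed inventory: the page's four examples plus one flat, host-style name.
CATEGORIES = [
    "Networking/Firewall/Cisco/FWSM",
    "Networking/Switch/Cisco/ASA",
    "OS/Windows/2012/Security",
    "Prod/Sumologic/Web/Apache/Access",
    "win_2008_server1",
]
# Role filters: the first is from the page, the second is hypothetical.
ROLES = {
    "Network Engineer": "_sourceCategory=Networking/*",
    "Windows Admin": "_sourceCategory=OS/Windows/*",
}

def validate(category, roots=ROOTS):
    """Return the list of convention problems (empty means conforming)."""
    segments = category.split("/")
    problems = []
    if len(segments) < 2:
        problems.append("fewer than two levels")
    if not all(SEGMENT.match(s) for s in segments):
        problems.append("empty or invalid segment")
    if segments[0] not in roots:
        problems.append("unknown top-level segment")
    return problems

def role_scope(role_filter, categories=CATEGORIES):
    """Categories a role filter would match, using simple glob matching."""
    key, _, pattern = role_filter.partition("=")
    if key != "_sourceCategory":
        raise ValueError("only _sourceCategory filters are handled here")
    return [c for c in categories if fnmatchcase(c, pattern)]

def uncovered(roles=ROLES, categories=CATEGORIES):
    """Categories not matched by any of the listed role filters."""
    seen = {c for f in roles.values() for c in role_scope(f, categories)}
    return [c for c in categories if c not in seen]

if __name__ == "__main__":
    print({c: validate(c) for c in CATEGORIES})
    print({name: role_scope(f) for name, f in ROLES.items()})
    print("uncovered:", uncovered())
```

Flat names such as win_2008_server1 fail validation and fall outside every wildcard filter, which is the situation the hierarchical convention is meant to avoid.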

Review the Documentation

Review the complete set of Sumo Logic product documentation on DocHub, which will help you get started with our service.